There are two kinds of STS: an Identity Provider STS
(IP-STS) and a Relying Party STS (RP-STS).

An IP-STS authenticates a client using, for
example, Windows integrated authentication. It creates a SAML token
based on the claims provided by the client, and might add its own
claims. A Relying Party application (RP) receives the SAML token
and uses the claims inside to decide whether to grant the client
access to the requested resource.

An RP-STS does not authenticate the client,
but relies on a SAML token provided by an IP-STS that it trusts.
Typically, an IP-STS is found in the client’s domain, whereas an
RP-STS is found in the RP’s domain. This is shown in the following
diagram.
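
The trust chain described above, modelled as an added example (not code from the original page or from any STS product). Assumptions: the tokens are JSON with an HMAC standing in for a signed SAML assertion, and the keys, issuer names, the CLIENTDOM domain claim and the group-to-role mapping are all hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed demo keys. HMAC stands in for the XML signature on a real SAML token.
IP_STS_KEY = b"constructed-ip-sts-key"
RP_STS_KEY = b"constructed-rp-sts-key"

def issue(issuer, key, claims):
    """Return base64(JSON body) + '.' + HMAC-SHA256 over the body."""
    doc = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True)
    body = base64.urlsafe_b64encode(doc.encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def validate(token, trusted):
    """Return the claims only if an issuer listed in `trusted` signed the token."""
    body, _, sig = token.partition(".")
    try:
        data = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        raise PermissionError("malformed token")
    key = trusted.get(data.get("iss")) if isinstance(data, dict) else None
    if key is None:
        raise PermissionError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise PermissionError("bad signature")
    return data["claims"]

def ip_sts_issue(authenticated_user, client_claims):
    """IP-STS: called only after authentication (e.g. Windows integrated) succeeded."""
    # The IP-STS's own claims override anything the client supplied under the same name.
    claims = dict(client_claims, name=authenticated_user, domain="CLIENTDOM")
    return issue("ip-sts", IP_STS_KEY, claims)

def rp_sts_issue(ip_token):
    """RP-STS: performs no authentication; accepts only tokens from the IP-STS it trusts."""
    claims = validate(ip_token, {"ip-sts": IP_STS_KEY})
    # Assumed mapping from the client domain's claims to a role the RP understands.
    role = "approver" if claims.get("group") == "managers" else "reader"
    return issue("rp-sts", RP_STS_KEY, {"name": claims["name"], "role": role})

def rp_authorize(rp_token, required_role):
    """RP: trusts only its own RP-STS and decides access from the claims inside."""
    try:
        claims = validate(rp_token, {"rp-sts": RP_STS_KEY})
    except PermissionError:
        return False
    return claims.get("role") == required_role
```

Note that the RP rejects a token issued by the IP-STS when it is presented directly, because the only issuer the RP trusts is the RP-STS in its own domain.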